Merge pull request #1967 from bbmilan/msi-cognitive-user-role-assignment

arnaudlh · web-flow · commit a3156b8e076a · 2024-04-23T09:32:41.000+07:00
MSI role assignment for accessing the Azure Open AI service
diff --git a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars
@@ -0,0 +1,45 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "uksouth"
+  }
+}
+
+resource_groups = {
+  rg1 = {
+    name = "example-msi-openai-rg1"
+  }
+}
+
+cognitive_services_account = {
+  primer = {
+    resource_group = {
+      key = "rg1"
+    }
+    name    = "pinecone-llm-demoopenai"
+    kind    = "OpenAI"
+    sku_name = "S0"
+    custom_subdomain_name = "cs-alz-caf-llm-demoopenai"
+  }
+}
+
+managed_identities = {
+  workload-msi = {
+    name = "example-msi-openai-rolemap-msi"
+    resource_group_key = "rg1"
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    cognitive_services_account = {
+      primer = {
+        "Cognitive Services User" = {
+          managed_identities = {
+            keys = ["workload-msi"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/roles.tf b/roles.tf
@@ -124,6 +124,7 @@ locals {
     azurerm_firewalls                          = local.combined_objects_azurerm_firewalls
     backup_vaults                              = local.combined_objects_backup_vaults
     batch_accounts                             = local.combined_objects_batch_accounts
+    cognitive_services_account                 = local.combined_objects_cognitive_services_accounts
     data_factory                               = local.combined_objects_data_factory
     databricks_workspaces                      = local.combined_objects_databricks_workspaces
     dns_zones                                  = local.combined_objects_dns_zones
